30 September 2014

RANT!! #TakeBackOurInternet

Today was another day of Whack-a-mole tracking down SPAM sources at work. This is nothing out of the norm for the last 3 months; it was what had been compromised that pissed me off.
The first server I took the hammer to was a server out of Brazil. It was trying to crack into the IMAP port on the work email server. This was fixed by a block rule in iptables, but that wasn't enough for me. I tracked down who owned the IP address: it was a medical office in south central Brazil. These fuckers cracked a med server to spread SPAM! One side of me thinks about the loss of time and medical records that could happen and the doctors not being able to do their jobs and help people because of this. The other thinks about what they could do selling those records, and if they didn't they are fools! *Lucky for me I lean on the side of the former and think about all the trouble this causes.*
So, like any good hacker, I tried to shut down the VNC back door they installed. I think whoever compromised the server saw my attacks and shut the server down. So they just fucked that clinic! Talk about thinking only about yourself!
So on top of this I find out that one of my Pod mates who is home schooling her kids can't today because of a DDOS on the home school web site she uses. WHY WOULD YOU DDOS A HOME SCHOOL SITE!?!? I'm sure it's a similar group to the ones who hand off SPAM to my work server day in and day out.
Of course I couldn't find shit on the attack on the home school site, so I couldn't help in blocking it.
This leads me to my rant: WHY do we need to sit back and let this happen? The tools are out there for even the least tech-able people to strike back at these bot nets and stop them from keeping us from our internet. But what stops them from doing this? I'm actually asking this. What do you think would help people fight back? The US law system does shit for us; the FBI has JUST NOW opened a malware reporting site that I'm sure will be less than effective. The anti-virus vendors help some, but only if you install their product, and that will cause its own issues. So what is a KISS way to help people protect their systems, and, if they want, take an active role in fighting back?
I have personally been reporting SPAM to www.spamcop.net. You just sign up for an account and they do all the work for you. If the network owner/server owner doesn't reply to the report they blacklist the IP. I also actively scan and do recon on servers and report new patterns here. When I find a server that is just SPAM, I take it down so it can't spread SPAM any more. *Note: I check all WHOIS reports and services on the server before doing this. If you want to do this too, please do your homework first. Don't be an ass and take down someone's work or home server.*
I want to start a movement here, I want to take back OUR INTERNET!
Leave your ideas in the comments and let me know what you think. I hope you can come up with something that can knock these bot nets on their asses and give the people who control them a run for their money.
TAKE BACK OUR INTERNET!!!
Repost this Blog and use #TakeBackOurInternet

22 September 2014

SPAM Bots!!!

About a month ago a large attack was targeted at US server farms from the bot nets. Now this isn't an odd thing in and of itself, but the results from it were a bit odd.

The SPAM

So I don't normally see the direct effects of these kinds of attacks, as the company I work for is small. But we do see the secondary and tertiary effects of this in the form of SPAM. Our company gets well over 2,000 emails a day, and 1,500 of them are SPAM! Most of the time my filters block most of these emails, via blacklisting and some content filtering. But after this most recent attack I started seeing a new breed of SPAM. It was walking right through all my filters and it took WEEKS to get blacklisted. Below is an example of this new SPAM:

Return-Path: <PeterGarcia@cc34b8f738cc4489fda151ad551de4.sortut.com>
X-Original-To: ME
Delivered-To: ME
Received: from cc34b8f738cc4489fda151ad551de4.sortut.com (cc34b8f738cc4489fda151ad551de4.sortut.com [37.156.202.220])
 by ME.MAIL.localhost (ME.MAIL.localhost) with ESMTP id 72A6224FDA
 for <ME>; Thu, 18 Sep 2014 16:36:53 -0700 (PDT)
Message-ID: <Peter.2ac7115c98f53c458ff0cd5b87345e2c@cc34b8f738cc4489fda151ad551de4.sortut.com>
From: Blood Sugar Discovery  <Peter@sortut.com>
To: <ME>
Date: Thu, 18 Sep 2014 16:39:54 -0700
Subject: Info released - 9/18
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0

Notice - Jeremiahp
Diabetes Cure Alert


- Begin Notice - 

------------------------------------------------
Regain control of Blood Sugar levels. 
- Scientifically Proven
- Turn-around of 3 weeks
------------------------------------------------

Exposed Remedy -> http://www.sortut.com/psa/video/released/dia/assoc.html





- End Notice - 
View Doctor Report: http://www.sortut.com/psa/video/released/dia/assoc.html








stop further diabetes notices - http://www.sortut.com/68i/werg/ju76/wt.sert32
or write - TGI Services
1324 Swan Drive_Bartlesville, Oklahoma 7 4 0 0 6



I've changed the solenoid. My battery has over 12 volts, but will not crank the engine. When I turn the key, I may get one or two halfhearted attempts then nothing. When I charge the battery up to over 13.5 volts, it turns over like nothing is wrong. I've tested the ignition switch and I have continuity, it doesn't read to 000's but it beeps and goes to like 0.26 or so. I've unplugged the wire from the solenoid that comes from the ignition and I get 12.5 volts through there. It's a 4 pole solenoid. I get 12+ volts on the post with the red wire that seems to be connected to the battery. I don't get 12 volts on the starter end. And when I try to crank the engine from the ignition, I don't get 12 volts to the starter. How can I test the wire from the solenoid to the starter? Or is that even an issue? I'm at a loss. Any help will be greatly I have a 'quill' now with a grease fitting on top, however (looking inside it) it has Sealed bearings on both ends, so the grease fitting seems kinda useless on this quill , (I would think anyhow, but correct me if I'm wrong).. 

After your post about the pulley, I did put my dial indicator on today to check more accurately the pulley for run-out, & it has .029" run-out on the outer edge.. 
Hard to see by eye, but it is not as true as I thought.. But being stamped steel, would that be considered TOO much out of true ? No it doesn't sound like much.. But nothing else makes sense.. 
Your advice is Always most appreciated.. Now I have a direction to concentrate on.. I want to check for run-out on that 'quill' (spindle top) to see if it is the pulley or the spindle first.. & then test the other Good side for run-out as well.. If it's the pulley, I could possibly true it to a much better tolerance, or make it much worse.. LOL Time will tell.. I'm a bit reluctant to even touch the good side, that is still the original assembly (over 6 yrs old)..


And as I posted above, the bearings are holding up very well, it is the housing that gets the seats for the bearings beat out.

*Note: I have changed things so as not to expose any info about my work. Everything else is as I received it.*


So the odd thing about this email is the last part. It's some text about a guy fixing his starter. WTF? I saw 24 plus emails like this show up in my inbox at work and got reports of people getting these emails as well. I found out that the text at the bottom was scraped from an open forum. This post is from http://www.hobbytalk.com/bbs1/showthread.php?t=421200, a post made in August this year. The server hosting the forum was not compromised from what I could tell. So I'm guessing whatever script generated this email used a web crawler to gather this text from open forums. The other emails had everything from talk about home-built airplanes to beauty tips. So it seems to be all over the board. But the oddity didn't stop there....
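As an added example (not from the post), here is a small Python triage script that pulls out of a message like the one above the fields a mail admin blocks or reports on, and flags the three things that made this batch stand out: the hex-looking throwaway subdomain in the envelope sender, the envelope/From domain mismatch, and a tail of link-free prose after the last URL (the scraped forum text). The sample is constructed from the headers shown above with a shortened body, and the filler threshold is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header lines are the ones the post prints (with the
# recipient still masked as ME); the body is a short stand-in for the ad text
# plus the scraped forum paragraph that followed it.
SAMPLE = """\
Return-Path: <PeterGarcia@cc34b8f738cc4489fda151ad551de4.sortut.com>
X-Original-To: ME
Delivered-To: ME
Received: from cc34b8f738cc4489fda151ad551de4.sortut.com (cc34b8f738cc4489fda151ad551de4.sortut.com [37.156.202.220])
 by ME.MAIL.localhost (ME.MAIL.localhost) with ESMTP id 72A6224FDA
 for <ME>; Thu, 18 Sep 2014 16:36:53 -0700 (PDT)
From: Blood Sugar Discovery  <Peter@sortut.com>
To: <ME>
Subject: Info released - 9/18
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0

Diabetes Cure Alert
Exposed Remedy -> http://www.sortut.com/psa/video/released/dia/assoc.html
stop further diabetes notices - http://www.sortut.com/68i/werg/ju76/wt.sert32

I've changed the solenoid. My battery has over 12 volts, but will not crank
the engine. When I turn the key, I may get one or two halfhearted attempts.
"""

# A DNS label of 16+ hex characters is a throwaway, machine-generated name.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")
# IPv4 literal in square brackets, as the MX writes it into Received:.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL = re.compile(r"https?://[^\s<>\"')\]]+")
# Heuristic threshold (assumption): this much link-free prose after the last
# URL smells like scraped filler meant to dilute content filters.
FILLER_MIN_CHARS = 80


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def analyze_message(raw):
    """Pull out the fields a mail admin blocks or reports on, plus heuristic
    signals. Returns a plain dict so it can be logged or fed to a blocklist."""
    msg = message_from_string(raw)
    rp_domain = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])

    # The topmost Received: line is the one our own MX wrote, so the IP in it
    # is the relay that actually connected to us (later ones are untrusted).
    received = msg.get_all("Received") or []
    match = RECEIVED_IP.search(received[0]) if received else None
    relay_ip = match.group(1) if match else None

    body = ""
    if not msg.is_multipart():
        body = msg.get_payload(decode=True).decode("us-ascii", "replace")
    urls = URL.findall(body)
    url_hosts = sorted({u.split("/")[2].lower() for u in urls})
    tail = body[body.rfind(urls[-1]) + len(urls[-1]):].strip() if urls else body.strip()

    signals = []
    hex_labels = [label for label in rp_domain.split(".") if HEX_LABEL.match(label)]
    if hex_labels:
        signals.append("machine-generated subdomain in Return-Path: " + hex_labels[0])
    if rp_domain and from_domain and rp_domain != from_domain:
        signals.append("envelope sender domain differs from From: domain")
    if len(tail) >= FILLER_MIN_CHARS:
        signals.append("%d chars of link-free prose after the last URL (filler?)" % len(tail))

    return {
        "relay_ip": relay_ip,
        "return_path_domain": rp_domain,
        "from_domain": from_domain,
        "url_hosts": url_hosts,
        "trailing_filler_chars": len(tail),
        "signals": signals,
    }


if __name__ == "__main__":
    for key, value in analyze_message(SAMPLE).items():
        print("%-22s %s" % (key, value))
```

Only the first Received: header is trusted for the relay IP: anything below it was written by the sender's side and can say whatever it likes. The relay IP and the URL hosts are what you would hand to a blocklist or a SpamCop-style report; the three signals are there to catch the next batch before the blacklists catch up.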

The Servers

After seeing so many of these emails getting through I started to dig into this further. I couldn't find any info on this with deep Google searching, so I dug in myself. All of the direct sources of this SPAM seem to be servers, either what looked like home-run servers or long-forgotten servers in datacenters for web hosting. They were a mix of Windows and Linux; about 2/3 of the servers that I tested were running Windows 2008 and the rest were running a Red Hat 2.6.x kernel.
This pattern on its own is not so abnormal, as this is what most of the compromised boxes on the net look like from what I have seen. The bit that was abnormal was how the servers had been changed. Most of the Windows servers had a very minimalist SMTP and HTTP server installed. No content on the HTTP server, just some way to redirect you to another site. The SMTP server had just about everything disabled. Most of them seem to be some version of PowerMTA, an alternative MTA for Windows. The Linux servers had a very limited Postfix server.
The HTTP server was NGINX with just about everything turned off on it.
The security on the servers was basic, but enough to keep any random person from getting in. I didn't try too hard to break in to gather more info; this was just reconnaissance.

The Trap


After looking at the servers I started looking at the "path" that the links would take you. I must give a warning here to anyone who wants to try this. Use Chrome's incognito tabs for this; doing this outside of a sandbox WILL DAMAGE YOUR SYSTEM!!!
So if you open the link you will find that it just sits there for a few seconds, then pops up an annoying ad site. If you grab the site with wget -r you will see something like this:

wget -r http://www.sortut.com/psa/video/released/dia/assoc.html
--2014-09-22 10:25:31--  http://www.sortut.com/psa/video/released/dia/assoc.html
Resolving www.sortut.com (www.sortut.com)... 66.172.90.246
Connecting to www.sortut.com (www.sortut.com)|66.172.90.246|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://affiliate.gosotrack.com/rd/r.php?sid=928&pub=220319&c1=&c2=&c3=0918864UNIE [following]
--2014-09-22 10:25:32--  http://affiliate.gosotrack.com/rd/r.php?sid=928&pub=220319&c1=&c2=&c3=0918864UNIE
Resolving affiliate.gosotrack.com (affiliate.gosotrack.com)... 173.230.238.191
Connecting to affiliate.gosotrack.com (affiliate.gosotrack.com)|173.230.238.191|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://tracking.routeoffers.com/aff_c?offer_id=22&aff_id=1154&aff_sub=220319&aff_sub2=SUBIDHERE&aff_sub3=SUBIDHERE&url_id=162 [following]
--2014-09-22 10:25:32--  http://tracking.routeoffers.com/aff_c?offer_id=22&aff_id=1154&aff_sub=220319&aff_sub2=SUBIDHERE&aff_sub3=SUBIDHERE&url_id=162
Resolving tracking.routeoffers.com (tracking.routeoffers.com)... 54.183.46.151
Connecting to tracking.routeoffers.com (tracking.routeoffers.com)|54.183.46.151|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://buyglucohealth.com/pages/report-video?AFFID=1154&C1=220319&C2=SUBIDHERE&C3=SUBIDHERE&trackslugs[]={trackslug_1}&trackslugs[]={trackslug_2}&trackslugs[]={trackslug_3} [following]
--2014-09-22 10:25:33--  https://buyglucohealth.com/pages/report-video?AFFID=1154&C1=220319&C2=SUBIDHERE&C3=SUBIDHERE&trackslugs[]=%7Btrackslug_1%7D&trackslugs[]=%7Btrackslug_2%7D&trackslugs[]=%7Btrackslug_3%7D
Resolving buyglucohealth.com (buyglucohealth.com)... 192.64.176.135
Connecting to buyglucohealth.com (buyglucohealth.com)|192.64.176.135|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `www.sortut.com/psa/video/released/dia/assoc.html'

    [ <=>                                                                                                               ] 9,540       --.-K/s   in 0.005s  

2014-09-22 10:25:34 (1.94 MB/s) - `www.sortut.com/psa/video/released/dia/assoc.html' saved [9540]

FINISHED --2014-09-22 10:25:34--
Total wall clock time: 2.4s
Downloaded: 1 files, 9.3K in 0.005s (1.94 MB/s)


You can see it bounces you around 4 different sites before landing you on the ad site, where there are so many trackers and pop-ups that it feels like the '90s all over again.
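The same chain as a Python tracer, added here as an example that is not part of the post. It walks Location: hops one request at a time (no JavaScript, nothing rendered, so it never lands in the pop-up trap), records every host so the whole bounce path can be blocked or reported rather than just the first link, and stops on a loop or a hop limit so a misbehaving tracker cannot spin it forever. The replay table reproduces the hops from the wget output above (the final URL's trackslugs[] parameters are dropped for readability); `live_fetch` is the same interface against a real server, but it is not exercised here.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed replay table of the hops wget printed above:
# url -> (status, Location header or None). Nothing here touches the network.
# The last URL's trackslugs[] parameters are dropped to keep the table readable.
_HOP1 = "http://www.sortut.com/psa/video/released/dia/assoc.html"
_HOP2 = "http://affiliate.gosotrack.com/rd/r.php?sid=928&pub=220319&c1=&c2=&c3=0918864UNIE"
_HOP3 = ("http://tracking.routeoffers.com/aff_c?offer_id=22&aff_id=1154"
         "&aff_sub=220319&aff_sub2=SUBIDHERE&aff_sub3=SUBIDHERE&url_id=162")
_HOP4 = ("https://buyglucohealth.com/pages/report-video?AFFID=1154"
         "&C1=220319&C2=SUBIDHERE&C3=SUBIDHERE")
REPLAY = {
    _HOP1: (302, _HOP2),
    _HOP2: (302, _HOP3),
    _HOP3: (302, _HOP4),
    _HOP4: (200, None),
}


def replay_fetch(url):
    """Offline fetcher: answers from REPLAY instead of the network."""
    return REPLAY[url]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects itself so we see every hop."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def live_fetch(url, timeout=10):
    """Real fetcher for use outside this demo: one request, no JS, no follow.
    A 3xx surfaces as HTTPError because the handler above refuses to follow it."""
    req = urllib.request.Request(url, headers={"User-Agent": "redirect-tracer"})
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def follow_chain(url, fetch=replay_fetch, max_hops=10):
    """Walk Location: hops, returning [(host, status), ...].
    Stops on a non-3xx answer, on revisiting a URL (loop) or at max_hops."""
    hops, seen, current = [], set(), url
    while True:
        host = urlsplit(current).hostname
        if current in seen:
            hops.append((host, "loop"))
            break
        if len(hops) >= max_hops:
            hops.append((host, "hop-limit"))
            break
        seen.add(current)
        status, location = fetch(current)
        hops.append((host, status))
        if status in REDIRECT_CODES and location:
            current = urljoin(current, location)  # Location may be relative
        else:
            break
    return hops


def chain_hosts(hops):
    """Distinct hosts in bounce order: the list to block or report on."""
    hosts = []
    for host, _ in hops:
        if host and host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    for host, status in follow_chain(_HOP1):
        print("%-30s %s" % (host, status))
```

To trace a real link, pass `fetch=live_fetch`; since it only reads headers and never executes page content, it is a safer first look than opening the link in a browser, and the `chain_hosts` output is the list of intermediaries worth blocking at the proxy or reporting alongside the mail relay.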

The sites that you are bounced through advertise themselves as "social networking advertising market places." I haven't dug into this much, but from talking with my friends in the marketing world these would be the companies that promise to get your ad more clicks and thousands more views. They just leave out that it will be views from very pissed-off people or lots of unknowing old people.
The end site you land on seems to really be selling what they say they want to sell, complete with all the info to comply with the CAN-SPAM Act buried under 15 pop-ups.

Questions


After all this digging I'm still left with a lot of questions. What connection do these SPAM "sources" have with the attack a month ago, if they have any connection?
What is the backend behind all of these bot servers, what packages are they using and how do they work?
Have the bot herders moved from using personal connections to servers to spread SPAM? Or are the personal computers used to attack the servers?
Who is behind the command and control systems of these bot nets?
And how are these advertising "markets" connected with the bot nets? 
What companies are using these tickets and how can we shed light on what is really behind this kind of marketing?

In the end I want to try to help with reducing the SPAM on the internet and making network admins' jobs easier around the world. I spend a good 60% of my work day on just SPAM.
If any of you out there have info on this please leave a comment below or give me a shout out on twitter @KD7DMP with your info.

Thanks all, until next time. 




10 September 2014

Helpful Telescope Spreadsheets.

I have been into astronomy for... well, as long as I can remember really. I think it started when my Dad got me a CAD print out of the space shuttle Columbia, OV-102. This was about the time I was getting into radio as well, and as a 7 year old I typed a letter out on a typewriter to NASA asking about their Deep Space Network system. I didn't get much info about the DSN, but I got a ton of images from Hubble and other deep space probes they had sent out over the years.
Sadly I wasn't really able to do much in the field with it because of a lack of money and my poor understanding of optics at the time. So it just kind of sat in the background, coming out as more of an obsession with all things NASA, ESA, and AMSAT.

This all changed when recently a member of our pod gave me a pair of telescopes she no longer had need for. This got me going viewing celestial objects directly again, and after a few viewings of Jupiter and its moons, Saturn and its rings, and trying to find Apollo landing sites on the moon I was hooked again!!!

On top of this my cash flow had been increasing due to some contract jobs I was doing and this gave me a chance to improve my equipment. But after looking at what is out there the question was raised, "what do I really need, and what do I really get for this stuff?" OFF TO RESEARCH!!!!

After my optical principle research frenzy I came back with some very good info! Which I was able to distill down into this GDoc Spreadsheet.

The Basics:

Now before you go and run off to look at the spreadsheet, I would like to explain a few things here, just to fill you in on the details.

The basic idea of an optical telescope is that it gathers light from distant sources using its objective optical device, a parabolic mirror or convex lens, and focuses that light onto a focal plane. This inverted image of the distant object is then magnified via the eyepiece and then sent to your eye. This basic system allows you to see objects that are normally too dim for your eyes to see. Or, for objects that you can see, it allows you to resolve more detail on those objects. Now there is a lot of math and such that can get involved here, but I want to start out with the practical details first, then we can get to the meat of it. ;)

Terms:

So let's get a few terms down before we move forward:
Focal length: Distance between the objective optical device and the focal plane, in millimeters.
Eyepiece focal length: The distance between the focal plane and the end element of the eyepiece, in millimeters.
Apparent view: How big the magnified chunk of the sky looks to you, in degrees.
Actual view: The chunk of the sky that is being magnified. Most of the time measured in degrees.
Magnification: A relative number that tells you how much more you are seeing than with your naked eyes.
Arcseconds: A polar measurement of an area of the sky. One arcsecond = 1/3600th of a degree.

The Math:

Now, let's dig into this; first let's hit magnification. To get an idea of magnification we need to know how much you can see with your eye. Most humans have an effective field of view of 114 degrees, or about 410,400 arcseconds of the sky. Reference: Wikipedia:Field_of_view. You can resolve down to about 60 arcseconds with your eye, or about 0.016 degrees. Reference: darkskydiary:arcminutes-and-arcseconds

Magnification:

So the idea here is that the telescope should be able to give us some degree more resolution and hence a smaller field of view. The math for this is basic: it's the focal length of the telescope over the focal length of the eyepiece. So you can say that magnification is inversely proportional to the focal length of the eyepiece. So if your telescope has a focal length of 1100mm, and you are using a 15mm eyepiece: 1100/15=73.3. But this doesn't really give us much info: how much of the sky can you now see, what kind of resolution can you expect?

Field of View:

Let's now go through the math for figuring out the field of view. Each eyepiece you buy for your telescope will have a spec called "apparent field of view". This is the field of view that it will magnify the chunk of the sky to so you can see it, because your field of view and resolution of vision are fixed. From this number and the magnification we can figure out the "actual field of view", which is the size of the area of the sky you are actually looking at. So if we use our example above we should be able to figure out how much we can see with our 1100mm telescope and 15mm eyepiece. Now, let's assume our eyepiece has a 52 degree apparent field of view. We take this number and divide it by the magnification; in other words our actual field of view is inversely proportional to the magnification. (52/73.3=0.709 degrees) We can convert this into arcseconds to get 2,553.8.

Now, what does this number really mean? Well, we can compare this to the apparent diameter of different celestial objects.
Celestial body      Angular diameter      Relative size (10 pixels per arcsecond)
Sun                 31.6′ – 32.7′         28.7–29.7 times the maximum value for Venus / 1896–1962″
Moon                29.3′ – 34.1′         26.6–31.0 times the maximum value for Venus / 1758–2046″
Venus               9.565″ – 66.012″
Jupiter             29.800″ – 50.115″
Saturn              14.991″ – 20.790″
Mars                3.492″ – 25.113″
Mercury             4.535″ – 13.019″
Uranus              3.340″ – 4.084″
Neptune             2.179″ – 2.373″
Ceres               0.330″ – 0.840″
Vesta               0.20″ – 0.64″
Pluto               0.063″ – 0.115″
R Doradus           0.052″ – 0.062″
Betelgeuse          0.049″ – 0.060″
Eris                0.034″ – 0.089″
Alphard             0.00909″
Alpha Centauri A    0.007″
Canopus             0.006″
Sirius              0.005936″
Altair              0.003″
Deneb               0.002″
Proxima Centauri    0.001″


So if we compare this to the sun, with an angular diameter of 32.7 arcminutes, or 1,962 arcseconds, we can see our view with this setup will be 1.3 times greater in size. Or to put it a different way, if you centered the sun (while using a sun filter on your telescope; not doing that could damage your eyes) in your telescope's view with the 15mm eyepiece there would be 295.9 arcseconds on each side of your view. So the sun would fill up a little over half your view.
Now if you tried to look at Pluto, with an apparent diameter of only 0.115 arcseconds, you would have a hard time seeing it as it would only be .004% of your view. That is far below the resolution of the human eye and you would need a shorter focal length eyepiece for that.

How to pick the right eyepiece for the job.

So now that we have some of our basic math down, how do you know which eyepiece to use? Well, that depends on what you are doing. Using the chart above you can figure out the size of the object you want to view. If the object is not on the list there are many sites out there that can help you figure out what its angular diameter is. Once you figure that out, go to the spreadsheet, Telescope/Eyepiece combo info, and fill in the info for the eyepieces you have and your telescope. BINGO, you have the area each of your eyepieces can see! But what if it's not enough? There is a device for that!

The Barlow.

A Barlow is a device that multiplies the magnification of your eyepiece. You place the device in between your eyepiece and your telescope. So if you put it between the 1100mm telescope and our 15mm eyepiece it would be the same as using a 7.5mm eyepiece. Now on the spreadsheet, Telescope/Eyepiece combo info, I have a second sheet that includes a column for a Barlow. Now the effect on the actual view is not proportional to the Barlow, so the second sheet will help you figure out how much area you can see by putting the Barlow in.
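The magnification, field-of-view and Barlow arithmetic from the sections above, carried through in Python as an added example (this is not the post's spreadsheet or the math from Jay Reynolds Freeman's page, just the same formulas in code). It uses the post's 1100mm scope, 15mm eyepiece, 52 degree apparent field and 60 arcsecond eye resolution; the Barlow factor of 2 is an assumption that matches the post's 15mm-to-7.5mm example, and the target sizes are a constructed subset of the table above. `eyepiece_to_resolve` goes one step beyond the post: it turns "you would need a shorter eyepiece" into how short.

```python
ARCSEC_PER_DEGREE = 3600.0
EYE_RESOLUTION_ARCSEC = 60.0  # the post's figure for the naked eye

# Maximum angular diameters from the table above, in arcseconds (constructed
# subset; the Sun's 32.7' is the 1,962" the post uses).
TARGETS = {"Sun": 1962.0, "Moon": 2046.0, "Jupiter": 50.115, "Pluto": 0.115}


def magnification(scope_focal_mm, eyepiece_focal_mm, barlow=1.0):
    """Telescope focal length over eyepiece focal length. A Barlow divides the
    effective eyepiece focal length: with barlow=2 a 15 mm eyepiece acts as 7.5 mm."""
    return scope_focal_mm / (eyepiece_focal_mm / barlow)


def true_field_deg(apparent_fov_deg, mag):
    """Actual field of view = eyepiece's apparent field / magnification."""
    return apparent_fov_deg / mag


def eyepiece_to_resolve(scope_focal_mm, target_arcsec, eye_res=EYE_RESOLUTION_ARCSEC):
    """Longest eyepiece focal length (mm) that magnifies a target of the given
    angular size up to the eye's resolution limit. Only the eye is considered;
    the telescope's aperture sets its own resolving limit, which the post does
    not cover, so treat the result as an upper bound on eyepiece length."""
    needed_mag = eye_res / target_arcsec
    return scope_focal_mm / needed_mag


def eyepiece_report(scope_focal_mm, eyepiece_focal_mm, apparent_fov_deg,
                    targets=TARGETS, barlow=1.0):
    """Everything the post works out by hand for one scope/eyepiece combo."""
    mag = magnification(scope_focal_mm, eyepiece_focal_mm, barlow)
    field_deg = true_field_deg(apparent_fov_deg, mag)
    field_arcsec = field_deg * ARCSEC_PER_DEGREE
    rows = {}
    for name, size in targets.items():
        rows[name] = {
            "fraction": size / field_arcsec,                       # share of the view
            "margin_each_side_arcsec": (field_arcsec - size) / 2,  # negative = overflows
            "fits": size <= field_arcsec,
            "apparent_arcsec": size * mag,                         # how big it looks to the eye
            "eye_can_resolve": size * mag >= EYE_RESOLUTION_ARCSEC,
        }
    return {"magnification": mag, "field_deg": field_deg,
            "field_arcsec": field_arcsec, "targets": rows}


if __name__ == "__main__":
    for barlow in (1.0, 2.0):
        rep = eyepiece_report(1100, 15, 52, barlow=barlow)
        print("Barlow x%.0f: %.1fx, true field %.3f deg (%.0f\")" % (
            barlow, rep["magnification"], rep["field_deg"], rep["field_arcsec"]))
        for name, row in rep["targets"].items():
            print("  %-8s %7.3f%% of view, looks %9.1f\", eye can resolve: %s" % (
                name, row["fraction"] * 100, row["apparent_arcsec"], row["eye_can_resolve"]))
    print("Eyepiece needed to bring Pluto up to 60\": %.2f mm" % eyepiece_to_resolve(1100, 0.115))
```

With the Barlow in, the field drops to half (52/146.7 = 0.355 degrees), which is exactly the "second sheet" calculation: the Barlow halves the effective eyepiece focal length, doubles the magnification, and the true field follows the magnification, not the Barlow factor directly.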

Conclusion.

I hope this post has helped fill in some of the gaps about the practical details of what you need to get a good view of the sky. I also hope the spreadsheet will help speed things up. I have filled it in with examples; just replace those with your values.
If you have any questions or comments please leave them below.

I also want to thank Jay Reynolds Freeman for his page http://old.observers.org/beginner/eyepieces.freeman.html
It was the main inspiration for this post and the source of the math in the spreadsheet and this post. He has a lot of good practical info on the page, you should really check it out.




04 September 2014

Things you wouldn't think of as a "hack".

There are many people out there that think you have to know something about coding or electronics to be a hacker. But there are many non-tech ways to hack.
A good example is a guest post my partner Andrea did on Offbeat Home.
Why damaged tablecloths may be the most surprisingly useful item in your home
Here, simply asking about damaged tablecloths at your local rental store could get you some useful gear.
This is also a great example of looking in places that you wouldn't think of looking.
Andrea also found a good portion of the parts for this DIY thresher.
*soon to come post from Andrea on that*


One of our local scrap places sells these used plastic barrels for $20. I had the steel 75 gallon drum sitting around my farm. The strap was found along the rail road tracks. The motor was sitting in my pole barn, and the beater arms were built out of old lumber lying around both of our places.
There are no microcontrollers, no computers at all, just good old-fashioned farm hacking.

And this is just one example of this; there are many, many more out there on the net.
So just remember, you don't have to be a tech wizard to be a hacker.

Keep on hack'n!!